5. Evidence of conception is shown by Exhibit A, which is a true copy of a 
technical specification entitled "3-D Secure Business Requirements and 
Technical Approach - VisaGold Version 1.0." 
Introduction 

The 3-D Secure architecture uses a distributed computing model to 
communicate messages between Verified by Visa enabled merchants and 
Access Control Servers (ACS). In this approach, no central point exists to collect 
information, monitor system performance, and report on the interaction between 
each of the transaction participants. In order to manage this service Visa must 
ask each end point - Issuers and merchants - to collect and provide statistics to 
Visa personnel in order to determine how the service is performing. The data 
available at each end point differs in the manner in which it is collected and 
quality and quantity of data available for collection. This approach to managing 
and monitoring the operational performance of the service has proven to be 
administratively cumbersome and time consuming, requiring a lot of support from 
each end point and Visa. 

This document describes the general business requirements and technical 
approach to extend the existing 3-D Secure architecture to provide a systematic 
way to collect information, monitor system performance of each end point, and 
manage the interactions between these end points. This approach is referred to 
as VisaGold. 



VisaGold General Business Requirements 

There are a number of general business requirements that VisaGold must 
support. These are outlined below. More specific business requirements are 
described in subsequent sections. 

Primary Business Objective Provide Visibility to 3-D Secure 
Processing 

The primary business objective of VisaGold is to increase the reliability and 
monitoring of the Verified by Visa service by allowing Visa to participate in all of 
the 3-D Secure transaction flows. This means VisaGold will log all activity 
between each participant in a Verified by Visa transaction and provide a way to 
correlate each message cycle - VEReq/VERes, PAReq/PARes, and 
PATransReq/PATransRes - into one complete view of a 3-D Secure 
authentication. Collection of this information will be used to measure, monitor, 
and report on the performance of Verified by Visa service end point. 
2.2 Provide a Response on behalf of an ACS 

The VisaGold platform is between the DS and the ACS during VEReq/VERes 
processing, between the cardholder and the ACS during PAReq/PARes 
processing, and between the ACS and AHS during PATransReq/PATransRes 
processing. If an ACS becomes unavailable while processing an authentication 
request, or otherwise does not respond in a timely fashion, VisaGold can 
generate a response on behalf of the ACS. The implementation of VisaGold 
provides a high assurance that all Verified by Visa transactions will complete 
successfully. 

2.3 Provide a way to Manage interoperability between MPI's and 
ACS's 

The implementation of VisaGold will provide a way to manage the quality of data 
received from participating merchants by providing a single platform through 
which all transactions are processed. In the same manner, the implementation of 
VisaGold will also provide a way to manage the quality of data returned by 
participating Issuer ACS's. 

2.4 Authentication Integrity, Data Quality, and Systematic Solution 

The Internet has proven to be a high growth market segment and is expected to 
represent significant sales volume over the years. The implementation of 
VisaGold provides a comprehensive way to record all Verified by Visa activity in 
a single place. This single source of information can be used to measure, 
manage, and monitor the operating characteristics for the entire Verified by Visa 
service. As such, there is a need to incorporate transaction integrity and data 
quality as is typical of any VisaNet service offered to Issuers. VisaGold must 
incorporate as many automated or systematic controls as possible so that 
management of this service is efficient for Visa, Issuers, and participating 
Merchants. 



3 VisaGold Approach 

3.1 VisaGold Business Requirements 

The business requirements that relate to VisaGold processing are below. The 
VisaGold solution must: 

1. Increase market momentum of the 3-D Secure rollout. 

2. Require no changes to the 3-D Secure protocol. 

3. No/minimal changes to installed ACS or merchant software. 

4. In the future, VisaGold will allow Merchant Plug-In's (MPI) and ACS's to 
migrate to newer versions of the 3-D Secure protocol independently of each 
other. VisaGold will provide compatibility between these end points via a 
standardized certification process similar to the VisaNet Certification 
Management System (VCMS). The requirements for this certification process 
are outside the scope of this document. 

3.2 VisaGold Service and Technical Requirements 

The service and technical requirements that relate to VisaGold processing are 
below. The VisaGold solution must: 

1. Support 3-D Secure message versions 1.0.1 and later. VisaGold will not 
support 3-D Secure message versions prior to 1.0.1. VisaGold only supports 
the Core Protocol requirements. 

2. Receive and route VEReq transactions from the Directory Server (DS) to the 
appropriate ACS, return the VERes from the ACS to the DS, and log both 
messages with the ability to associate the VERes with the VEReq. 

3. Receive and route PAReq transactions from an MPI to an ACS, return the 
PARes from the ACS to the MPI, and log both messages with the ability to 
associate the PARes with the PAReq. 

4. Systematically associate a VEReq/VERes message pair with the 
corresponding PAReq/PARes message pair. 

5. Process and log all activity that occurs between the cardholder and an ACS 
during the authentication process. If an ACS fails to respond to any request 
from a cardholder within the specified timeout interval, VisaGold must be able 
to generate a response on behalf of the ACS, including the submission of a 
PATransReq to the Authentication History Server (AHS) and handling a 
PATransRes from the AHS. 

6. Validate the format and content of the data values in each supported 
message. Supported messages include VEReq, VERes, PAReq, PARes, 
PATransReq, and PATransRes. 

7. Provide an interface to define, configure, and administer the VisaGold 
operating parameters. These parameters will include at least the following: 
• VERes timeout value 

• VERes timeout response 

• PARes timeout value 

• PARes timeout response 

• Authentication page timeout value 

• Authentication page timeout response 

• Client certificate configuration 

• Primary and Second AHS URL 

• Number of times to attempt connecting to the AHS during PATransReq 
processing 

• PATransRes timeout value 

• PATransReq retry count 

6. Support any HTML 3+ capable Internet client without requiring the use of 
JavaScript, cookies, or limitation of any kind on the client's chosen hardware 
or operating system, regardless of version, or other service limiting features. 

7. Support 500 page views per second and 100 3-D Secure messages per 
second per machine. The average time for processing any one page view 
must not exceed 0.5 seconds. The average time required to process any one 
3-D Secure message must not exceed 0.5 seconds, excluding the time 
associated with the DS, ACS, or other 3-D Secure component's processing 
time. 

Note: Performance measurements will be calculated using a series of pages 
with the least possible content (no graphics/images, links, external 
references, etc.) and only sufficient text to allow the page to proceed to the 
next processing step. The service operator will calibrate performance of the 
production service, with live pages, through a separate exercise. 

8. Meet 99.9% availability, 24x7x365 with no downtime during VisaGold service 
updates. 

9. Not require the sharing of data or system components across multiple 
VisaGold servers, i.e., any one individual VisaGold component must not be 
reliant on any other VisaGold service component in order to complete the 
functions described in this document. The requirement excludes the 
networking infrastructure required to support communication to the VisaGold 
service components. Failure of any one service component must not impact 
the availability of any other service component. 

Note: No other option, regardless of capability, is acceptable. 

10. All logging must conform to the NCSA extended/combined log format. All 
logs must be rolled - renamed with a date and timestamp - once per day and 
at end of each day. Analysis of VisaGold logs will occur on a separate 
reporting platform (See VisaGold Reporting Requirements section). 

11. Conform and comply with Visa's Cardholder Information Security Program 
(CISP) requirements. 

12. Use a web server platform which supports the following service support 
areas: 

a. Authentication, Authorization, and Access Control 

b. CGI: Dynamic Content with CGI 

c. Configuration Files 

d. Content negotiation 

e. Environment Variables 

f. General Performance 

g. Handlers 

h. Log Files 

i. Security 

j. Server Side Includes 

k. Server-Wide Configuration 

l. URL Mapping 

m. URL Rewriting 

n. Virtual Hosts 



3.3 VisaGold Process Flow 

This section describes the Activation Anytime process flow. Refinements may be 
needed as the business requirements and service rules are evaluated. 

The VisaGold process flow approach introduces the concept of a centralized 
switching device to support the processing of 3-D Secure messages and routing 
of a cardholder to ACS. VisaGold provides Visa with the ability to: 

1. Monitor, record, and report on the VEReq/VERes and PAReq/PARes 
message flows. 

2. Provide a response on behalf of an ACS if the ACS is not available or 
does not respond in a timely manner. 

3. Increase the number and percentage of fully authenticated purchases and 
reduce breakage associated with cardholder abandonment during the 
check out process at 3-D Secure-enabled merchant sites. 

The steps below describe the transaction flow for VisaGold in the 3-D Secure 
model: 


[Figure: VisaGold transaction flow diagram. Labels recoverable from the original: Cardholder, Merchant, Acquirer, Access Control, Interoperability.] 


Steps     Description of Steps in the VisaGold Flow 

Step 1    Shopper browses at merchant site, adds items to shopping cart, 
          and then finalizes purchase. (Note: Merchant now has all 
          necessary data, including PAN.) 

Step 2    Merchant Server Plug-in (MPI) sends PAN to the Visa 
          Directory. 

Step 3    If PAN is in participating card range, Visa Directory queries 
          VisaGold to determine whether authentication is available for 
          the PAN. 

Step 4    VisaGold responds to Visa Directory with an enrolled response. 

          Note: VisaGold does not forward the VEReq message to the 
          ACS at this point. VisaGold generates and returns an acctID, 
          url, and enrolled status of "Y" for all Visa cards. 

Step 5    Visa Directory forwards VisaGold response to MPI. 

Step 6    MPI sends Payer Authentication Request to VisaGold via 
          shopper's device. 

Step 7a   VisaGold receives Payer Authentication Request. VisaGold 
          queries appropriate Access Control Server (ACS) to determine 
          whether authentication is available for the PAN. 

Step 7b   ACS responds to VisaGold with an enrolled response. 

Step 7c   If the cardholder is enrolled, VisaGold relays the Payer 
          Authentication Request message to the ACS. If the cardholder 
          is not enrolled, VisaGold returns an attempted or unable to 
          authenticate response to the MPI (see Step 9, 9c, and 9d). 

Step 8    VisaGold relays all interactions between the shopper and ACS. 

          ACS authenticates shopper using processes applicable to PAN 
          (Password, Chip, PIN, etc.). 

          ACS formats Payer Authentication Response message with 
          appropriate values and signs it. 

Step 9    ACS returns Payer Authentication Response to MPI via 
          shopper's device. ACS sends selected data to Authentication 
          History. 

Step 9a   ACS sends the Payer Authentication Transaction Receipt to 
          VisaGold. 

Step 9b   VisaGold sends the Payer Authentication Transaction Receipt to 
          the Authentication History Server (AHS). 

Step 9c   The AHS sends the Payer Authentication Transaction Receipt 
          response to VisaGold. 

          Note: If VisaGold generates the Payer Authentication 
          Response, VisaGold sends the Payer Authentication 
          Transaction Receipt to AHS. 

Step 9d   VisaGold returns the Payer Authentication Transaction Receipt 
          response to ACS. 

Step 10   MPI receives Payer Authentication Response and validates 
          Payer Authentication Response signature. 

Step 11   Merchant proceeds with authorization exchange with its 
          Acquirer. 
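
The correlation requirement (section 3.2, items 2 to 4) and the acctID that VisaGold generates in Step 4 suggest one way to stitch the three message cycles into a single view of an authentication and to spot requests that never received a response. The following is an added example, not part of the Visa specification: the record layout, the field names (type, msg_id, acct_id, ts) and the sample records are constructed, and keying later cycles on the acctID returned in the VERes is an assumption.

```python
from collections import defaultdict

# Constructed sample records: one dict per logged 3-D Secure message.
# msg_id pairs a request with its response; acct_id is the value VisaGold
# returned in the VERes (Step 4) and is assumed to reappear in later cycles.
RECORDS = [
    {"ts": 0.00, "type": "VEReq", "msg_id": "m1", "acct_id": None},
    {"ts": 0.05, "type": "VERes", "msg_id": "m1", "acct_id": "A100"},
    {"ts": 1.20, "type": "PAReq", "msg_id": "m2", "acct_id": "A100"},
    {"ts": 9.80, "type": "PARes", "msg_id": "m2", "acct_id": "A100"},
    {"ts": 9.90, "type": "PATransReq", "msg_id": "m3", "acct_id": "A100"},
    {"ts": 9.95, "type": "PATransRes", "msg_id": "m3", "acct_id": "A100"},
    {"ts": 2.00, "type": "VEReq", "msg_id": "m4", "acct_id": None},
    {"ts": 2.04, "type": "VERes", "msg_id": "m4", "acct_id": "A200"},
    {"ts": 3.00, "type": "PAReq", "msg_id": "m5", "acct_id": "A200"},  # no PARes logged
]

CYCLES = [("VEReq", "VERes"), ("PAReq", "PARes"), ("PATransReq", "PATransRes")]

def correlate(records):
    """Group records into one view per authentication, keyed by acct_id."""
    by_msg = defaultdict(dict)
    for r in records:
        by_msg[r["msg_id"]][r["type"]] = r
    views = defaultdict(dict)
    for pair in by_msg.values():
        # A VEReq carries no acct_id yet; take it from whichever side has one.
        acct = next((r["acct_id"] for r in pair.values() if r["acct_id"]), None)
        for req, res in CYCLES:
            if req in pair:
                done = res in pair
                elapsed = round(pair[res]["ts"] - pair[req]["ts"], 3) if done else None
                views[acct][req] = {"complete": done, "elapsed": elapsed}
    return dict(views)

def incomplete(views):
    """Return (acct_id, request type) for every request lacking a response."""
    return sorted((a, t) for a, v in views.items()
                  for t, c in v.items() if not c["complete"])
```

A request/response pair whose acct_id cannot be determined is grouped under the key None, so orphaned VEReq messages remain visible instead of being dropped.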
3.4 VisaGold Reporting Requirements 

This section describes the VisaGold reporting requirements. Refinements may 
be needed as the business requirements and service rules are evaluated. The 
VisaGold reporting solution must provide reporting in the aggregate and by date, 
including day of week, and hour for the requirements listed below. The reporting 
tool must provide the ability to generate ad hoc user defined queries. 

1. Total number of page hits, including page hits by page, and errors 

2. Aggregate information and information sorted by referring Internet site, or 
BIN, or 3-D Secure message version: 

a. Number of VEReq messages received 

b. Number of VERes's returned, sorted by: 

i. "Timed out waiting on response from ACS" 

ii. "Error connecting to ACS (non-timeout condition)" 

iii. "N" - no enrollment option available 

iv. "U" - not eligible to enroll 

v. "Y" - enrolled 

vi. "Other error/response received (not defined above)" 

vii. Minimum, maximum, and average response time for 
VEReq/VERes processing in total and by ACS 

c. Number of PAReq's received 

d. Number of authentication pages received, sorted by: 

i. "Timed out waiting on response from ACS" 

ii. "Error connecting to ACS (non-timeout condition)" 

iii. "Other error/response received (not defined above)" 
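
Requirement 10 in section 3.2 fixes the log format as NCSA extended/combined, and item 1 above asks for page hits by page and errors, broken down by day of week and hour. The following added example (not part of the Visa specification) parses combined-format lines and produces those counts; the sample lines, paths and host names are constructed, and treating HTTP status 400 and above as an error is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# NCSA combined: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation addresses and example hosts only).
SAMPLE = '''\
192.0.2.10 - - [12/May/2003:09:15:02 -0700] "POST /pareq HTTP/1.0" 200 512 "https://shop.example/checkout" "Mozilla/4.0"
192.0.2.11 - - [12/May/2003:09:47:30 -0700] "POST /pareq HTTP/1.0" 504 0 "https://shop.example/checkout" "Mozilla/4.0"
192.0.2.12 - - [12/May/2003:10:01:11 -0700] "GET /auth?step=1 HTTP/1.0" 200 2048 "https://store.example/pay" "Mozilla/4.0"
this line is truncated and must be counted, not dropped silently
'''

def report(text):
    """Aggregate hits by page, hour, weekday and referring site; count errors."""
    out = {"total": 0, "errors": 0, "unparsed": 0, "by_page": Counter(),
           "by_hour": Counter(), "by_weekday": Counter(), "by_referer": Counter()}
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            out["unparsed"] += 1  # malformed lines are reported, never hidden
            continue
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        out["total"] += 1
        out["errors"] += int(m["status"]) >= 400  # assumption: 4xx/5xx = error
        out["by_page"][m["path"].split("?", 1)[0]] += 1  # drop the query string
        out["by_hour"][when.hour] += 1
        out["by_weekday"][when.strftime("%A")] += 1
        # Referring site = host part of the Referer header, "-" if absent.
        site = re.sub(r"^\w+://([^/]*).*", r"\1", m["referer"]) or "-"
        out["by_referer"][site] += 1
    return out
```

The combined format carries no response-time field, so the minimum, maximum and average timings listed in item 2(b)(vii) need a separate data source such as paired request and response timestamps.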



© 2003 Visa U.S.A. Inc. This information is Confidential and Proprietary, is distributed 
only by Visa U.S.A. for the use exclusively in operating this Visa-sponsored program, and 
shall not be duplicated, published, or disclosed, in whole or in part, without the written 
permission of Visa U.S.A. 






3-D Secure Business Requirements and Technical Approach 

VisaGold 

May 2003 



<Extension id="Visa.3ds.activation_anytime" critical="false"> 
<passwordreset>fully qualified URL</passwordreset> 
<issueremail>Issuer VbV Email Address</issueremail> 
<issuerphone>Issuer Customer Service Phone Number</issuerphone> 
<issuerprograminfo>fully qualified URL</issuerprograminfo> 
<issuerenrollment>fully qualified URL</issuerenrollment> 
</Extension> 



Related Documents 

This section describes related documents that contain additional requirements 
and/or clarification of processing requirements for the VisaGold service. 

1. Cardholder Information Security Program, Version 5.5 

2. 3-D Secure™ Protocol Specification, Core Functions, 70000-01 v 1.0.2, 
Updated 9/16/02 

The one on the paytech site is Updated 7/16/02 with Errata as of 01/16/03. 
See http://international.visa.com/fb/paytech/secure/main.jsp. 